Drobo

Can dm_crypt be used on the Drobo FS volumes?

I’m interested in a Drobo FS and have done Linux coding. Apparently they use standard Linux volumes for the disks, and if so, it should be easy to add LUKS/dm_crypt support so that the data would be encrypted on the volume.

My concern is if a drive is pulled out (or worse, swapped) any data on that drive might be scattered, but it would still be readable. This makes the FS less useful for applications that would require security (medical data, accounting, credit cards).

I’m not looking initially for NSA-grade encryption, just something that would render the data inaccessible for a “smash and grab” of the Drobo or any of its drives. At power on or reset, or adding a new drive, you would need to use a web page or telnet session to enter a passphrase (same phrase across drives, the keys might vary).

With the SDK, can I get that deep into the system so I can add this feature?
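The unlock scheme the opening post describes (one passphrase, a different key per drive) is how a LUKS-style keyslot behaves. The sketch below is an added example, not code from this thread or from Drobo; it is a simplified model rather than the LUKS on-disk format, and the function names, the iteration count and the XOR key wrap are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch
KEY_LEN = 32          # 256-bit volume key


def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, KEY_LEN)


def format_drive(passphrase: str):
    """Build a header for one drive. Returns (header, master_key)."""
    master_key = os.urandom(KEY_LEN)  # unique per drive, never stored in the clear
    slot_salt, digest_salt = os.urandom(16), os.urandom(16)
    kek = _kdf(passphrase.encode(), slot_salt)  # passphrase-derived wrapping key
    header = {
        "slot_salt": slot_salt,
        # Stand-in for the cipher-based wrap a real keyslot uses: XOR with a
        # KDF output that is used exactly once (fresh salt per drive).
        "wrapped_key": bytes(a ^ b for a, b in zip(master_key, kek)),
        "digest_salt": digest_salt,
        # Lets unlock_drive() recognise the right key without storing it.
        "key_digest": _kdf(master_key, digest_salt),
    }
    return header, master_key


def unlock_drive(header: dict, passphrase: str) -> Optional[bytes]:
    """Return the drive's master key, or None if the passphrase is wrong."""
    kek = _kdf(passphrase.encode(), header["slot_salt"])
    candidate = bytes(a ^ b for a, b in zip(header["wrapped_key"], kek))
    digest = _kdf(candidate, header["digest_salt"])
    return candidate if hmac.compare_digest(digest, header["key_digest"]) else None


if __name__ == "__main__":
    phrase = "constructed sample passphrase"
    headers = [format_drive(phrase)[0] for _ in range(3)]  # three drives
    keys = [unlock_drive(h, phrase) for h in headers]
    print("all drives unlocked:", all(k is not None for k in keys))
    print("distinct keys per drive:", len(set(keys)) == 3)
    print("wrong passphrase rejected:", unlock_drive(headers[0], "guess") is None)
```

A drive pulled from the array carries only its header and ciphertext, so without the passphrase the per-drive key cannot be recovered from it.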

I seriously doubt you would be able to (easily) build a kernel module like dm_crypt… but as an alternative… you could always try throwing a TrueCrypt volume on one of the shares… The only downside to it is… you can’t really share that volume with multiple users… but the result would be nicely encrypted.

TrueCrypt won’t work because then the entire container becomes one huge file and takes up space even if it is nearly empty.

The way they do things all but prevents nearly all whole-volume encryption, and you can’t do file-by-file over the network transparently.

The encryption has to be done on the individual drives.

If it is Linux, then the GPL source should be there to build the module. Actually using it with the associated programs is a different thing.

The source is available, you just have to request it from DRI using a form on the support forum. I have requested it and they were very helpful.

However, as TheCompWiz mentioned, compiling that module may prove to be quite the pain, because not only do you have to get the source, but you also have to somehow cross-compile that module. Currently, as far as I know, no one has ported a complete toolchain to the FS, so no compiling on the FS.

If you figure out how to cross-compile kernel modules, please share with the rest of us. I can think of a few modules I want on the FS (kernel NFS, TAP/TUN for VPN, JFS, …).

Oh the irony. I managed to figure out the hardware of the DroboFS. It is a Marvell MV78200 board.

You know what is one of the features of that specific model? A Cryptographic Accelerator (chapter 10). In other words, not only should you be able to compile the kernel modules for encrypted filesystems, but it should be fast!